sigstore-go

Allow configurable algorithms in verification

Open tetsuo-cpp opened this issue 1 year ago • 2 comments

Summary

Support configurable signing algorithms in sigstore-go's verification flow. We already have the signing key/certificate so we can use the artifact digest algorithm information to figure out what hash function is being used.

Release Note

Documentation

tetsuo-cpp, Jan 16 '24 09:01

CC: @ret2libc

tetsuo-cpp, Jan 16 '24 09:01

I think it's best to get this in first and follow up with the change to restrict algorithms via a --allowed-signing-algorithms flag since it's not straightforward with the current CLI flags library.

tetsuo-cpp, Jan 16 '24 09:01

Now implemented.

haydentherapper, Apr 23 '25 19:04